I'm confused on the app callback url being the same url as the app banner url. I'm new to app development obviously.
My concern is, when a user clicks to install an app I create, I understand that I need to redirect them with my app's scope for them to install that app in their store. However, after their app has been installed, if the callback url for the app banner is the same as the initial install url, how do I differentiate between an app banner click, and an install app click that are going to the same url?
Clearly I'm missing some key info here on this workflow. I suspect that when the user clicks to install the app, which goes to my callback url there will be $_GET data that will identify the user is installing the app and has not simply clicked on the app banner (post install). Am I correct here? I don't need to redirect them to install the app each time they click on the app banner do I as some kind of re-initialization? I thought the permanent access token would prevent me from having to do this.
Thanks Josh. I get it now. So, I'm currently developing an app and for now I'm just pasting in my redirect install string into the browser address bar to simulate a user clicking on a Shopify Get App install button in the app store. Is there another way to better simulate this during the development stage?
I wouldn't trust the X-Shopify-Shop-Domain header (because you can't verify that it came from Shopify). Use $_GET['shop'] instead and don't forget to verify the request.
For someone coming to this later, the thread might not make sense because it looks like Josh edited his answer (to remove the insecure recommendation of using the X-Shopify-Shop-Domain header). The current recommendation:
You can differentiate new versus existing customers by checking the code parameter and keeping a database of merchants that have your app installed. If the shop is in your database and the hmac is verified, then you can skip the setup.
also has serious security implications IMO. For details see my comment here: http://ecommerce.shopify.com/c/shopify-apis-and-technology/t/need-help-with-hmac-signature-validatio...
You're welcome Josh. Editing comments to change them completely messes up the thread and makes it incoherent for future readers. IMO, it's always better to add another comment than change an existing one (except for typos).
Also, as confirmed by Kevin in the other thread I linked to earlier, the current recommendation in this thread to "skip the setup" is also incorrect.
Another reason (and maybe one that is more important in terms of security) why the advice to skip the setup if you get a valid hmac is incorrect is that, if the app is not on https, a man-in-the-middle could intercept the request, play it back and get access to the customer accounts in the app.
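As an added example (not code from the thread or from Shopify), here is how the hmac check and `$_GET['shop']` handling discussed above look in PHP: the hmac is recomputed over the sorted query parameters and compared in constant time, the shop domain is validated, and the request is classified as an install (a `code` parameter is present) or a banner click. `APP_SECRET` is a placeholder, and the timestamp freshness window is my own assumption, added to limit the replay problem raised in the last reply.

```php
<?php
// Added example: verify and classify a Shopify callback / app-banner request.
// APP_SECRET is a placeholder for the app's shared secret; the freshness
// window (MAX_SKEW_SECONDS) is an assumption of this example, not a Shopify rule.
const APP_SECRET = 'REPLACE_WITH_APP_SECRET'; // placeholder, load from config
const MAX_SKEW_SECONDS = 300;                 // assumed replay window

// HMAC-SHA256 over the remaining query params, sorted by key and joined as
// key=value&...; the comparison is constant-time to avoid timing leaks.
function verifyShopifyHmac(array $params, string $secret): bool
{
    if (!isset($params['hmac']) || !is_string($params['hmac'])) {
        return false;
    }
    $provided = $params['hmac'];
    unset($params['hmac']);
    ksort($params);
    $computed = hash_hmac('sha256', http_build_query($params), $secret);
    return hash_equals($computed, $provided);
}

// Only *.myshopify.com hostnames are acceptable as the shop parameter;
// anything else (e.g. an attacker-controlled host) is rejected.
function isValidShopDomain(string $shop): bool
{
    return (bool) preg_match('/^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/', $shop);
}

// Returns 'install', 'banner' or an error label for the incoming request.
function classifyCallback(array $params, int $now): string
{
    if (!verifyShopifyHmac($params, APP_SECRET)) {
        return 'error:hmac';
    }
    $shop = $params['shop'] ?? '';
    if (!isValidShopDomain($shop)) {
        return 'error:shop';
    }
    // Reject stale links so a captured URL cannot be replayed indefinitely.
    if (abs($now - (int) ($params['timestamp'] ?? 0)) > MAX_SKEW_SECONDS) {
        return 'error:stale';
    }
    if (isset($params['code'])) {
        return 'install'; // exchange the code for the permanent token server-side
    }
    // No code: a banner click. A valid hmac only proves Shopify built the link,
    // so the app must still authenticate the user with its own session.
    return 'banner';
}
```

A typical entry point would call `classifyCallback($_GET, time())` and branch on the result; the install branch is where the permanent access token is obtained, so it is never skipped for an unknown shop.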